Date:      Fri, 17 Sep 2004 09:41:32 -0500
From:      Norm Vilmer <norm@etherealconsulting.com>
To:        Micheal Patterson <micheal@tsgincorporated.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Too many dynamic rules, sorry
Message-ID:  <414AF79C.4030809@etherealconsulting.com>
In-Reply-To: <020b01c49c76$e3d1ada0$0201a8c0@dredster>
References:  <414A6E9C.4060708@etherealconsulting.com> <020b01c49c76$e3d1ada0$0201a8c0@dredster>

Micheal Patterson wrote:
> .
> 
> 
> ----- Original Message ----- From: "Norm Vilmer" 
> <norm@etherealconsulting.com>
> To: <freebsd-questions@freebsd.org>
> Sent: Thursday, September 16, 2004 11:57 PM
> Subject: Too many dynamic rules, sorry
> 
> 
>> If I repeatedly nmap my FreeBSD 4.10 machine configured with ipfirewall,
>> I get the message "Too many dynamic rules, sorry". Doing a sysctl -a
>> |grep ip.fw I can see that the net.inet.ip.fw.dyn_count has reached the
>> max value of 8192 that I set. The net.inet.ip.fw.dyn_ack_lifetime is set
>> to 300, so the dynamic rule count starts going down after about 5
>> minutes after the simulated attack.
>>
>> Questions:
>>
>> When this happens, is my firewall still fully operational, in other
>> words can I safely ignore this message?
>>
>> Is there a way to fix this?
>>
> 
> 
> The error "Too many dynamic rules, sorry" will cause the system to drop 
> any packets that are covered by a keep-state entry. So, the firewall, 
> while operational, is in a dead lock down state for any outbound traffic 
> until the dynamic rules clear out. I'm hoping that you're checking the 
> system with nmap from behind it, because if you're outside the firewall, 
> then you're keeping state in inbound traffic and that's bad. You only 
> want keep-state from traffic leaving that system, not to it.
> 
> -- 
> 
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
> 
> Confidentiality Notice:  This e-mail message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all
> copies of the original message
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe@freebsd.org"
> 
Thanks for your help.

I was running nmap against my public or outside interface. This is my
first FreeBSD firewall, so I am sure my rules are not optimal, however,
the firewall appears to be doing what I want. I gathered these rules
from a number of how-to's and postings on the web with only a partial
understanding of what they actually do (yes, I know, problem # 1).
Here are the rules that I have that keep-state on the outside interface:

#For DNS
add 01300 pass udp from ${oip} to any 53 keep-state
# For NTP
add 01400 pass udp from ${oip} to any 123 keep-state
# For VPN
add 01500 pass gre from any to any keep-state
# For ICMP
add 01600 pass icmp from any to any via ${oip} keep-state

Do you think these are causing the problem?

Norm Vilmer



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?414AF79C.4030809>
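The two checks a practitioner would run on this box are: how close dyn_count is to dyn_max, and which keep-state rules can be matched by packets arriving from the Internet (a `from any` source, as in rules 01500 and 01600 above, lets any outside host create dynamic entries; rules whose source is `${oip}` only create state for traffic the firewall itself sends). The script below is an added example, not code from the thread or from FreeBSD: it runs the two checks over constructed copies of the posted rules and of `sysctl net.inet.ip.fw` output, so it works offline, and emits a mechanical rewrite of each exposed rule that pins the source to the outside address and the direction to `out`. The address 198.51.100.2 stands in for `${oip}` and is an assumption; which rule actually owned the 8192 entries is not established on the page (`ipfw -d show` lists dynamic rules under their parent rule number, which is how to confirm it on the live system).

```shell
#!/bin/sh
# Added example (not from the thread): audit ipfw keep-state rules and
# dynamic-rule headroom from saved text, so it runs without ipfw loaded.

# Hypothetical outside address standing in for ${oip}.
OIP=198.51.100.2

# Constructed copy of the keep-state rules posted above, ${oip} expanded.
RULES='add 01300 pass udp from 198.51.100.2 to any 53 keep-state
add 01400 pass udp from 198.51.100.2 to any 123 keep-state
add 01500 pass gre from any to any keep-state
add 01600 pass icmp from any to any via 198.51.100.2 keep-state'

# Constructed sample of `sysctl net.inet.ip.fw` output at the moment the
# "Too many dynamic rules, sorry" message appears (count has hit max).
SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 8192
net.inet.ip.fw.dyn_max: 8192
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5'

# dyn_usage_percent: dyn_count as an integer percentage of dyn_max.
# On a live box replace the printf with: sysctl net.inet.ip.fw
dyn_usage_percent() {
    printf '%s\n' "$SYSCTL" | awk '
        $1 == "net.inet.ip.fw.dyn_count:" { c = $2 }
        $1 == "net.inet.ip.fw.dyn_max:"   { m = $2 }
        END { printf "%d\n", (c * 100) / m }'
}

# inbound_keep_state_rules: rule numbers of keep-state rules whose "from"
# address is not the firewall itself, i.e. rules an outside scanner can
# match to create dynamic entries. On a live box feed it `ipfw show`.
inbound_keep_state_rules() {
    printf '%s\n' "$RULES" | awk -v oip="$OIP" '
        /keep-state/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            if (src != oip) print $2
        }'
}

# harden_inbound_keep_state: reprint the ruleset with every exposed
# keep-state rule rewritten so the source is pinned to the outside address
# and the direction to "out". Rules already keyed on ${oip} pass through
# unchanged. A "check-state" rule ahead of these still matches the replies.
harden_inbound_keep_state() {
    printf '%s\n' "$RULES" | awk -v oip="$OIP" '
        /keep-state/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to")   dst = $(i + 1)
            }
            if (src == oip) { print; next }
            printf "add %s %s %s from %s to %s out keep-state\n",
                   $2, $3, $4, oip, dst
        }'
}

echo "dynamic rule usage: $(dyn_usage_percent)%"
echo "keep-state rules reachable from outside:"
inbound_keep_state_rules
echo "hardened ruleset:"
harden_inbound_keep_state
```

The rewrite is deliberately mechanical: for the VPN rule 01500 the `to any` should additionally be narrowed to the peer's address, and the hardened rules only work as intended with an earlier `check-state` rule so that return packets are matched against the dynamic table instead of falling through to the static rules.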